Unless you are in secure mode it's unsafe to send the session id for the secure session. So how do you want to (re)establish the secure session?

Using the insecure session id is forbidden as it can be faked. Using the secure id is forbidden, as at this point the communication is not encrypted.

> -----Original Message-----
> From: Joel Rees [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 27 March 2002 11:16
> To: Tomcat Users List
> Subject: Re: sessions, security, and the RFCs
<snip/>
> Since only the browser which successfully logged on should
> have the session id (cookie or link) for the secure session,
> switching back and forth might be possible?
<snip/>
> The non-secure session id would be used to access an
> intermediate page in https, and the intermediate page would check
> for the secure cookie? Could this work? How dangerous would it be?
<snip/>
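The following is an added example, not code from either message in this thread or from Tomcat: a small Python model of the two-cookie arrangement the quoted message asks about, so that what each side can see is explicit. A plain session cookie is issued over http, a second cookie carrying the secure session id is issued at login over https with the Secure attribute, and an "intermediate" https page accepts a request only if the secure cookie is present. The cookie names, paths, user name, password and the sniffing attacker are all constructed for the illustration; the browser and server are in-memory stand-ins, not a real HTTP stack.

```python
import secrets
from dataclasses import dataclass

# Constructed cookie names for the model. Tomcat's own plain session cookie is
# JSESSIONID; the secure one is a hypothetical second cookie.
PLAIN = "JSESSIONID"
SECURE = "SECURESESSIONID"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = False  # Secure attribute: the browser sends it only over https


class Browser:
    """Cookie jar that honours the Secure attribute."""

    def __init__(self):
        self.jar = {}

    def accept(self, cookies):
        for c in cookies:
            self.jar[c.name] = c

    def cookies_for(self, scheme):
        # A Secure cookie is never attached to a plain-http request.
        return {c.name: c.value for c in self.jar.values()
                if scheme == "https" or not c.secure}


class Server:
    def __init__(self):
        self.plain = {}   # plain session id -> unauthenticated state (e.g. a cart)
        self.secure = {}  # secure session id -> authenticated user

    def handle(self, scheme, path, cookies, form=None):
        """Return (status, body, cookies_to_set) for one request."""
        if path == "/":
            # Every visitor gets a plain session over http; it carries no privilege.
            if cookies.get(PLAIN) not in self.plain:
                sid = secrets.token_hex(16)
                self.plain[sid] = {"cart": []}
                return 200, "welcome", [Cookie(PLAIN, sid)]
            return 200, "welcome", []
        if path == "/login":
            if scheme != "https":
                return 403, "login only over https", []
            if form != {"user": "alice", "password": "correct horse"}:  # constructed credentials
                return 401, "bad credentials", []
            sid = secrets.token_hex(16)
            self.secure[sid] = "alice"
            # The secure id travels only in a Secure cookie, so it never goes out over http.
            return 200, "logged in", [Cookie(SECURE, sid, secure=True)]
        if path == "/checkout":
            # The intermediate page: the plain id alone proves nothing here.
            if scheme != "https":
                return 403, "https required", []
            user = self.secure.get(cookies.get(SECURE))
            if user is None:
                return 403, "no secure session", []
            return 200, f"checkout for {user}", []
        return 404, "not found", []


def exchange(browser, server, scheme, path, form=None):
    status, body, set_cookies = server.handle(
        scheme, path, browser.cookies_for(scheme), form)
    browser.accept(set_cookies)
    return status, body


def run_scenario():
    server = Server()
    alice = Browser()
    results = {}
    results["home"] = exchange(alice, server, "http", "/")
    results["login"] = exchange(alice, server, "https", "/login",
                                {"user": "alice", "password": "correct horse"})
    # Everything a passive eavesdropper on the plain-http leg gets to see:
    sniffed = alice.cookies_for("http")
    results["secure_cookie_leaked_over_http"] = SECURE in sniffed
    results["checkout"] = exchange(alice, server, "https", "/checkout")
    # The eavesdropper replays the sniffed plain id against the intermediate page.
    mallory = Browser()
    mallory.accept([Cookie(PLAIN, sniffed[PLAIN])])
    results["attacker_checkout"] = exchange(mallory, server, "https", "/checkout")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

Running it shows the plain id being handed out over http, the secure id appearing only in the https exchanges, and the replayed plain id being refused at the intermediate page. The model only covers a passive eavesdropper; it says nothing about what an attacker can do by tampering with the plain http pages themselves, which is the part of the question the thread leaves open.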
